Preparing Delinea (formerly Thycotic) to Work with Keyfactor Command

Configuring the Delinea Secret Server to interoperate with Keyfactor Command and store Keyfactor Command credentials in the Delinea vault involves these preparatory steps before configuration in Keyfactor Command can begin:

The Delinea Secret Server software needs to be installed on a web server in the same forest as the Keyfactor Command server. Keyfactor does not recommend installing the Delinea software on the Keyfactor Command server. Please see the Delinea documentation for system requirements and installation guidance. Keyfactor Command is delivered with the Delinea dependencies included and enabled to allow interoperability with Delinea Secret Server, so no configuration steps are required on the Keyfactor Command server to enable to Delinea software.

Note:  Keyfactor Command interoperates with Delinea/Thycotic version 10.x. Support for version 11.0 and greater will be available in a future release.

You need to create a secret or secrets in the Delinea Secret Server for each certificate store in Keyfactor Command that you wish to manage with Delinea.

To create a secret in Delinea Secret Server:

  1. Open the Delinea Secret Server application in a web browser.
  2. In Secret Server, select Secrets from the left menu.
  3. On the Secrets page, click the plus button in the top right of the window and choose New Secret.
  4. In the Create New Secret dialog, select a templateClosed A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. type of Password (for passwords, usernames, access keys and all similar types of data).
  5. In the Create New Secret dialog, enter at a minimum a Name and the password, username, access key or other information to pass to Keyfactor Command in the Password field.
  6. Click Create Secret.
  7. Back on the screen where you are viewing your freshly created secret, look up at the URL and make note of the number near the end of the URL (see Figure 395: Delinea Secret Key ID Identification). This is the ID for your secret. You will need this when configuring the secret in Keyfactor Command.

Figure 395: Delinea Secret Key ID Identification

Keyfactor Command uses an application user account within Delinea Secret Server to retrieve secrets.

To create an application user account in Delinea Secret Server:

  1. Open the Delinea Secret Server application in a web browser.
  2. In Secret Server, select Admin from the left menu and then select Users.
  3. On the Users page, click Create New.
  4. Towards the bottom of the Edit User page, click Advanced.
  5. Enter a User Name, Display Name, Email Address and Password for the API user.
  6. Under Advanced, check the Application Account box.
  7. Save the user account.

Figure 396: Create a New Application User in Delinea Secret Server

The application user in Delinea Secret Server needs to have permissions to read the secrets that you create for the Keyfactor Command certificate stores. You will need to grant permission separately to each secret you create.

To grant permission to a secret in Delinea Secret Server:

  1. Open the Delinea Secret Server application in a web browser.
  2. In Secret Server, select Secrets from the left menu.
  3. On the Secrets page, select one of your secrets to open it.
  4. On your the page for your secret, go to the Sharing tab.
  5. On the Sharing tab, click Edit.
  6. In the Add Groups / Users box near the bottom, type in the name of your application user, search and select your user.
  7. Give the user, at minimum, the View permission.
  8. Save the secret record.

Figure 397: Grant the Application User Permissions to a Secret in Delinea Secret Server

Keyfactor Command uses an API application in Delinea Secret Server to interact with Secret Server.

To create an API application in Delinea Secret Server:

  1. Open the Delinea Secret Server application in a web browser.
  2. In Secret Server, select Admin from the left menu and then select See All.
  3. On the full Administration menu, select SDK Client Management.
  4. On the SDK Client Management page, click Client OnBoarding.
  5. At the top right, move the Disabled/Enabled slider to the right enable this functionality.
  6. At the bottom right, click the plus next to Rule.
  7. Enter a Name for the rule. Make note of this name. You will reference it when creating a PAM provider in Keyfactor Command (see PAM Provider Configuration in Keyfactor Command).
  8. In this Details field, enter the IP address of your Keyfactor Command server.
  9. In the Assignment dropdown, select the application user you created for API use with Keyfactor Command.
  10. Check the Require this generated onboarding key box.
  11. Click Save to save the application.
  12. On the SDK Client Management page, click Show Key for your new application (see Figure 398: Locate the Delinea Rule Key). Make note of the key shown. This is your rule key. You will need this when creating a PAM provider in Keyfactor Command (see PAM Provider Configuration in Keyfactor Command).
Tip:  It is very easy when copying the rule key to accidentally grab an extra space at the end of the key. If you paste the key into Keyfactor Command this way when configuring the PAM provider, the error you will receive back from Delinea Secret Server when Keyfactor Command attempts to connect to Delinea Secrect Server does not indicate this is the issue and instead says:

Object reference not set to an instance of an object

Take care to paste the key in with no leading or trailing spaces.

Figure 398: Locate the Delinea Rule Key

Keyfactor Command connects to the Delinea Secret Server using Delinea's SDK. The Delinea SDK component on the Keyfactor Command server generates credential files in the C:\Windows\System32\inetsrv directory that allow Keyfactor Command to access Delinea Secret Server. In order to create the files, the service accounts under which the Keyfactor Command application pool and service are running need write access to that directory. Because this is a protected system directory, the only practical way to grant these users the needed access to this directory is to grant the application pool user and service user local administrative permissions on the Keyfactor Command server. Your Keyfactor Command implementation may be using the same service account for both the application pool role and the service role.